> This is to announce the release of Pound v2.0b1. This is an experimental
> interim release.
>
> Changes in this version:
>
> - new configuration file syntax, offering significant improvements.

Hi Robert,

Thanks for the new beta release. I've just tried to update my rpm package
and found some things in 2.0b1:

- ListenHTTPS doesn't work, attached patch fixes it
- the examples in the man page sometimes use 'Server' instead of 'Service'

I like the new config file syntax but as an rpm maintainer, I'm not sure
how to deal with the change. It would be extremely helpful to have some
kind of upgrade program to convert an old style config file to the new
one. Maybe some perl guru can provide this in a one liner, anyone?

For those interested, a first source rpm is here:
http://www.invoca.ch/pub/packages/pound/beta/

Regards,
Simon

On Tue, 2005-11-01 at 13:03 +0100, Simon Matter wrote:
> Thanks for the new beta release. I've just tried to update my rpm package
> and found some things in 2.0b1:
> 
> - ListenHTTPS doesn't work, attached patch fixes it

Many thanks - I'll look into it.

> - the examples in the man page sometimes use 'Server' instead of 'Service'

Already fixed...
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

Robert Segall wrote:

>The software is at version 2.0b1 (alpha-ish quality). A lot of testing
>(especially under heavy loads and complex configurations), improvements
>and suggestions are welcome.
>  
>

It would be really nice if there was an option to have pound append to 
x-forwarded-for if the backend is remote.  This would enable improved 
logging/security on the backends rather than those backends seeing the 
hits all coming from the same ip address (pound's ip).

On Tue, 2005-11-01 at 13:25 -0600, FX wrote:
> It would be really nice if there was an option to have pound append to 
> x-forwarded-for if the backend is remote.  This would enable improved 
> logging/security on the backends rather than those backends seeing the 
> hits all coming from the same ip address (pound's ip).

Funny, but I thought Pound sets the X-Forwarded-for with the client
address. Has been doing so since version 0.4 at least.

As a side-note: I can understand logging, but I would never, ever trust
the client address for security stuff.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

----- Original Message ----- 
From: "Robert Segall" <roseg(at)apsis.ch>
To: <pound(at)apsis.ch>
Sent: Tuesday, November 01, 2005 12:25 AM
Subject: Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load
balancer - v2.0b1


> On Sun, 2005-10-30 at 13:53 +0800, Eric dai wrote:
>> Suggestion as below:
>> 1) add separately CRLfiles setting ,currently ,CRL files is a part of verify
files , This is not good for somecase
> 
> Why?
becase in most case ,CRL is changed periodly now it is combined with
Verfifylist 
anotherway ,suggest add a unix SIGNGLE to pound to reload the config and
without interrupt of current service
Another way ,sometimes client certs will be issued by more then 1 CA ,typically
,when a system moved from CA A to CA B.
in order to move smoothly ,it need the certs both CA A and CA B can work

> 
>> 2) currently ,we can use more LisentHTTPS  but all of them share a commom
setting of Http_headers
>>    Suggest each LisentHTTPS have their own cert ,CAfiles ,Verfify files ,and
CRL files
> 
> Have you even looked at 2.0b1?
Sorry ,I test 2.0b1 ,it can do it

> 
>> 3)  add verify path setting  
if customer use more than once CA and each CA contains a long certifacte chains

for instance 
    CA A has a chain :  operator CA  , policy CA  ,root CA
     CA B also , I have to combine all 6 CA PEM file to 1 file as a verifylist
 In most commerical product including F5 networks and CICSO ,they use a verify
CApath instead .of couse ,user need prepare the CApath --hash their CA chain
files to XXXX.0


>> 4) add CRL auto update from LDAP (RFC 2587) or OCSP support
  CRL is always in changed , so many commerical product use CDP to identify how
to retrieve the lastest CRL files via ldap/url  and etc .
   also  if we meet more CAs which issued the client's cert ,we always prefer
the OCSP solution ,use a standalone OCSPD server to verify the cert's status 



>> 5) SSL session cache support like modssl 
  just modssl do it ,and many website is optimized for it 
>> 6) allow use redirect to spcified URL with SSL-errorcode when SSL verify
fails 

>> 7) for https header inserted , use a mask to select if we need insert
CN/After/Validation before ....
>>   also have a option to insert the client X509 cert with single-line or
multi-lins format
> 
> Please try to slow down for a moment and consider if your suggestions
> are really necessary (do they add anything to the program), and if they
> make sense. Are your suggestions based just on seeing the same features
> in other systems, or can you show us a real need for them? Is it worth
> the effort and extra complexity?

Actually ,I am a product manager of a Commerical SSL offloader company ,all
this feature request is based on real demand and feedback from our customers

> -- 
> Robert Segallr
> Apsis GmbH
> Postfach, Uetikon am See, CH-8707
> Tel: +41-44-920 4904
> 
> 
> -- 
> To unsubscribe send an email with subject 'unsubscribe' to pound(at)apsis.ch.
> Please contact roseg(at)apsis.ch for questions.
> http://192.168.1.2:8080/Apsis/pound/pound_list/manage_mailboxer

Do you consider use XML as config file or make a webgui

thanks and best regards
    eric dai

On Thu, Oct 20, 2005 at 06:52:46PM +0200, Robert Segall wrote:
> This is to announce the release of Pound v1.9.4. This is primarily a
> feature-enhancement interim release.
> 
> Changes in this version:
> 
> - the log facility may now be dynamically defined in the configuration
> file. New directive: LogFacility name. The autoconf script flag has been
> changed from --with-log=name to --enable-log (or disable). Thanks to
> Samuel Leucart for the suggestion.

The regexp for this doesn't cater for the facilities local[0-7]

This is what I changed the line to

regcomp(&LogFacility, "^[ \t]*LogFacility[ \t]+([a-z]+[0-7])[ \t]*$",
REG_ICASE | REG_NEWLINE | REG_EXTENDED)

On Wed, 2005-11-02 at 23:22 +0800, Eric dai wrote:
> ----- Original Message ----- 
> From: "Robert Segall" <roseg(at)apsis.ch>
> To: <pound(at)apsis.ch>
> Sent: Tuesday, November 01, 2005 12:25 AM
> Subject: Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load
balancer - v2.0b1
> 
> 
> > On Sun, 2005-10-30 at 13:53 +0800, Eric dai wrote:
> >> Suggestion as below:
> >> 1) add separately CRLfiles setting ,currently ,CRL files is a part of
verify files , This is not good for somecase
> > 
> > Why?
> becase in most case ,CRL is changed periodly now it is combined with
Verfifylist 

So? A small script will create it easily.

> anotherway ,suggest add a unix SIGNGLE to pound to reload the config and
without interrupt of current service

Have you looked at past postings? This subject was discussed to death...

> Another way ,sometimes client certs will be issued by more then 1 CA
,typically ,when a system moved from CA A to CA B.
> in order to move smoothly ,it need the certs both CA A and CA B can work

So?

> > 
> >> 2) currently ,we can use more LisentHTTPS  but all of them share a commom
setting of Http_headers
> >>    Suggest each LisentHTTPS have their own cert ,CAfiles ,Verfify files
,and CRL files
> > 
> > Have you even looked at 2.0b1?
> Sorry ,I test 2.0b1 ,it can do it
> 
> > 
> >> 3)  add verify path setting  
> if customer use more than once CA and each CA contains a long certifacte
chains 
> for instance 
>     CA A has a chain :  operator CA  , policy CA  ,root CA
>      CA B also , I have to combine all 6 CA PEM file to 1 file as a
verifylist
>  In most commerical product including F5 networks and CICSO ,they use a
verify CApath instead .of couse ,user need prepare the CApath --hash their CA
chain files to XXXX.0

If you have the directory you can create the file. What's the point in
duplicating the effort?

> >> 4) add CRL auto update from LDAP (RFC 2587) or OCSP support
>   CRL is always in changed , so many commerical product use CDP to identify
how to retrieve the lastest CRL files via ldap/url  and etc .
>    also  if we meet more CAs which issued the client's cert ,we always prefer
the OCSP solution ,use a standalone OCSPD server to verify the cert's status 

OSCP is a nice idea - for the future. Right now it is hardly in what one
would call widespread use.

> >> 5) SSL session cache support like modssl 
>   just modssl do it ,and many website is optimized for it 

So?

> >> 6) allow use redirect to spcified URL with SSL-errorcode when SSL verify
fails 

Noted.

> >> 7) for https header inserted , use a mask to select if we need insert
CN/After/Validation before ....
> >>   also have a option to insert the client X509 cert with single-line or
multi-lins format
> > 
> > Please try to slow down for a moment and consider if your suggestions
> > are really necessary (do they add anything to the program), and if they
> > make sense. Are your suggestions based just on seeing the same features
> > in other systems, or can you show us a real need for them? Is it worth
> > the effort and extra complexity?
> 
> Actually ,I am a product manager of a Commerical SSL offloader company ,all
this feature request is based on real demand and feedback from our customers

As a product manager I hope you know better than to drop a whole list of
new feature requests on your developers as they try to get a stable beta
out. We released 2.0b1 for community testing in the hope of getting some
useful feedback on it. New features shall be considered once we have a
stable 2.0 release.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

Hi Robert and all,

On Thu, 2005-11-03 at 14:41 +0100, Robert Segall wrote:

> As a product manager I hope you know better than to drop a whole list of
> new feature requests on your developers as they try to get a stable beta
> out. We released 2.0b1 for community testing in the hope of getting some
> useful feedback on it. New features shall be considered once we have a
> stable 2.0 release.

Please, go easy on the guy :-) His first language isn't English, you
asked for suggestions, he gave you some. Perhaps they're not what you
were hoping for, but please don't kick his ***, put them in the TODO
file for another day.

> > >> 5) SSL session cache support like modssl 
> >   just modssl do it ,and many website is optimized for it 
> 
> So?

So SSL websites would load faster through Pound if Pound did session
caching? Isn't that a useful improvement to Pound? (otherwise people
might see a performance drop if they start using Pound as an SSL
accelerator to their Apache web servers).

> > anotherway ,suggest add a unix SIGNGLE to pound to reload the config
> and without interrupt of current service
> 
> Have you looked at past postings? This subject was discussed to
> death...

Yes, and nothing has been done about it yet :-) I'm as guilty as anyone
else, for not contributing the code yet, but perhaps it's useful to be
reminded sometimes that people still want this feature.

By the way, messages from this list seem to have the following footer:

> To unsubscribe send an email with subject 'unsubscribe' to
> pound(at)apsis.ch.
> Please contact roseg(at)apsis.ch for questions.
> http://192.168.1.2:8080/Apsis/pound/pound_list/manage_mailboxer

Perhaps a real address would be more useful than 192.168.1.2?

Cheers, Chris.
-- 
(aidworld) chris wilson | chief engineer (chris(at)aidworld.org)

On Thu, 2005-11-03 at 14:21 +0000, Chris Wilson wrote:
> Hi Robert and all,
> 
> On Thu, 2005-11-03 at 14:41 +0100, Robert Segall wrote:
> 
> > As a product manager I hope you know better than to drop a whole list of
> > new feature requests on your developers as they try to get a stable beta
> > out. We released 2.0b1 for community testing in the hope of getting some
> > useful feedback on it. New features shall be considered once we have a
> > stable 2.0 release.
> 
> Please, go easy on the guy :-) His first language isn't English, you
> asked for suggestions, he gave you some. Perhaps they're not what you
> were hoping for, but please don't kick his ***, put them in the TODO
> file for another day.

Sorry about it. I surely didn't intend to kick anybody's. I must admit I
got rather annoyed by it.

In parentheses: I suspect that for a large part of the people on this
list (myself included) English is not the first language. I know it's a
problem, but as long as English is the lingua franca of our business I'd
rather keep it that way.

> > > >> 5) SSL session cache support like modssl 
> > >   just modssl do it ,and many website is optimized for it 
> > 
> > So?
> 
> So SSL websites would load faster through Pound if Pound did session
> caching? Isn't that a useful improvement to Pound? (otherwise people
> might see a performance drop if they start using Pound as an SSL
> accelerator to their Apache web servers).

>From the OpenSSL manual (SSL_CTX_set_session_cache_mode to be specific):

Server sessions are added to the session cache. When a client proposes a
session to be reused, the server looks for the corresponding session in
(first) the internal session cache (unless
SSL_SESS_CACHE_NO_INTERNAL_LOOKUP is set), then (second) in the external
cache if available. If the session is found, the server will try to
reuse the session.  This is the default.

The way I read it it means that server sessions ARE enabled in the
current Pound version...

BTW: I suspect that if you have enough traffic for SSL session caching
to actually make a difference then you are probably better off with
hardware acceleration, which is really quite cheap these days.

> > > anotherway ,suggest add a unix SIGNGLE to pound to reload the config
> > and without interrupt of current service
> > 
> > Have you looked at past postings? This subject was discussed to
> > death...
> 
> Yes, and nothing has been done about it yet :-) I'm as guilty as anyone
> else, for not contributing the code yet, but perhaps it's useful to be
> reminded sometimes that people still want this feature.

Not forgotten really. As you know this is a big stumbling block and I
really would like to see some more discussion of it, though perhaps not
necessarily in the context of beta-testing a new version.

> By the way, messages from this list seem to have the following footer:
> 
> > To unsubscribe send an email with subject 'unsubscribe' to
> > pound(at)apsis.ch.
> > Please contact roseg(at)apsis.ch for questions.
> > http://192.168.1.2:8080/Apsis/pound/pound_list/manage_mailboxer
> 
> Perhaps a real address would be more useful than 192.168.1.2?

Thanks, it's fixed now (I hope).
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

On Thu, 2005-11-03 at 16:54 +0100, Robert Segall wrote:
> > Perhaps a real address would be more useful than 192.168.1.2?
> 
> Thanks, it's fixed now (I hope).

And then again, maybe not...
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

On Thu, 2005-11-03 at 16:54 +0100, Robert Segall wrote:
> > Perhaps a real address would be more useful than 192.168.1.2?
> 
> Thanks, it's fixed now (I hope).

Hope spring eternal.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

Sorry for my bad english 
I try to describe as below:

config client certifact verfiy 
 at 1st ,build a config file maybe named ca.conf or combine with pound.conf 

[CA]
   name =
# the name of this ca ,such as verisign
  chain = oca,pca,rca

#the whole certifacte chain of this CA
# oca ,pca,rca is the certifacte file name 
  verify= 

  #0 - no crl
  #1 - use a static crl file 
  #2 - use a URL to retrieve  CRL 
     URL=http://210.74.41.60/crl/CRLFile.crl
  #3 -directory  based CDP  (crl distibute point)
  #4- OCSP
  File = 
  # if verify=1,use this static file
 URL=
  # if verify=2 ,use this to specify a url to retriev CRLs,for exmples 
URL=http://210.74.41.60/crl/CRLFile.crl
  can refer to http://www.openca.org/ocspd/
  LDAP=
  # if verify=3 ,use certifacte CDP and this ldp address to retrieve the CRLs
,LDAP=210.74.41.60:389
  # for CDP based CRL retrieve ,you can refer to 
  http://eaptls.spe.net/
  
  crlupdateinterval= 
  OCSPURL= 
 # specify the OCSP url
  OCSPresponecert=
# ocsp response certifact 

[END]

you can setup more CAs in ca.conf . 
In pound.conf ,now can add a option ClientCAs ,

ClientCAs = ca1,ca2 ....

if you defind 2 CAs in ca.conf as  
[CA]
name=ca1
chain= oca,pca,rca
..................
[END]
[CA]
name=ca2
chain=catest,rca
.....
[END]

now you can combine all 1st certifacts  to build a file  as CAlist 
and combine all certifacts as a verifylist 
so CAList = oca+catest ,verifylist= oca,pca,rca,catest

but if use remove  1 certifact from CAchain ,but verifylist do not changed. it
is not good .

so suggest add a CApath verify option ,use can put all certifaces into the
CApath directory

Actually ,all commerical products have this CApath option. pls see attach file


when pound running ,1st check the ClientCAs process:
1) check the ClientCA's crl verify method
 if it is url based ,now open a separate thread to download the crl from URL
periodly
 
 a client submit their client cerifacts to verify as blow process
1) pound verify the certificate chain
2) verify crl 
     ---read client cerficate ,get the issuer and compare with CAlist ,
     ----find wich CA issue this certifacte 
     --- read this ca crl verify method
     ---for file,url, just simple use crl files to verify
    -- for ocsp ,make request and send it to OCSP server
   -- for CDP ,exactly the CDP from client cert 
      for exmples 
                   CN=CRL31
                    O=CFCA OCA
                    C=CN

    use CDP .LDAP to retrive the crl from LDAPserver 
and verify client certs

   you can import attached  pfx  to see it ,its ldap address is 210.74.41.60


SSL session CACHE can improve the preformance ,so all commerical product do it
.



   

Sorry for my bad English 
I try to describe as below:

config client certificate verify 
 at 1st ,build a comfit file maybe named ca.conf or combine with pound.conf 

[CA]
   name =
# the name of this ca ,such as verisign
  chain = oca,pca,rca

#the whole certificate chain of this CA
# oca ,pca,rca is the certificate file name 
  verify= 

  #0 - no crl
  #1 - use a static crl file 
  #2 - use a URL to retrieve  CRL 
     URL=http://210.74.41.60/crl/CRLFile.crl
  #3 -directory  based CDP  (crl distribute point)
  #4- OCSP
  File = 
  # if verify=1,use this static file
 URL=
  # if verify=2 ,use this to specify a url to retrieve CRLs,for examples 
URL=http://210.74.41.60/crl/Carlisle.crl
  can refer to http://www.openca.org/ocspd/
  LDAP=
  # if verify=3 ,use certificate CDP and this ldp address to retrieve the CRLs
,LDAP=210.74.41.60:389
  # for CDP based CRL retrieve ,you can refer to 
  http://eaptls.spe.net/
  
  crlupdateinterval= 
  OCSPURL= 
 # specify the OCSP url
  OCSPresponecert=
# ocsp response certificate 

[END]

you can setup more CAs in ca.conf . 
In pound.conf ,now can add a option ClientCAs ,

ClientCAs = ca1,ca2 ....

if you defind 2 CAs in ca.conf as  
[CA]
name=ca1
chain= oca,pca,rca
..................
[END]
[CA]
name=ca2
chain=catest,rca
.....
[END]

now you can combine all 1st certifacts  to build a file  as CAlist 
and combine all certifacts as a verifylist 
so CAList = oca+catest ,verifylist= oca,pca,rca,catest

but if use remove  1 certifact from CAchain ,but verifylist do not changed. it
is not good .

so suggest add a CApath verify option ,use can put all certifaces into the
CApath directory

Actually ,all commerical products have this CApath option. pls see attach file


when pound running ,1st check the ClientCAs process:
1) check the ClientCA's crl verify method
 if it is url based ,now open a separate thread to download the crl from URL
periodly
 
 a client submit their client cerifacts to verify as blow process
1) pound verify the certificate chain
2) verify crl 
     ---read client cerficate ,get the issuer and compare with CAlist ,
     ----find wich CA issue this certifacte 
     --- read this ca crl verify method
     ---for file,url, just simple use crl files to verify
    -- for ocsp ,make request and send it to OCSP server
   -- for CDP ,exactly the CDP from client cert 
      for exmples 
                   CN=CRL31
                    O=CFCA OCA
                    C=CN

    use CDP .LDAP to retrive the crl from LDAPserver 
and verify client certs

   you can import attached  pfx  to see it ,its ldap address is 210.74.41.60


SSL session CACHE can improve the preformance ,so all commerical product do it
.



   











--------------------------------------------------------------------------------






--------------------------------------------------------------------------------

On Mon, Oct 31, 2005 at 05:36:34PM +0100, Robert Segall wrote:
> On Mon, 2005-10-31 at 16:50 +0100, Steven Van Acker wrote:
> > Hello,
> > 
> > have you considered using (f)lex/yacc/bison instead of regex for
configuration file
> > processing ?
> 
> Certainly. Decided it isn't worth the extra weight. For your info: I
> worked on compiler and interpreter development in the past, so I know
> quite well what's involved.

Which extra weight are you referring to ? It seems to me that
implementing a flex/bison parser for Pound would provide a more 
powerful, more extendible and better understood configuration subsystem. 
An added bonus is that flex/bison is a well-tested way of parsing 
configuration files, and would thus reduce the possibility of bugs 
in that subsystem of Pound.

Unless I'm mistaken, the configuration is only read in and parsed once, 
so I have no idea where the extra weight would be ? Do you mean binary size ?

greets,
-- Steven

On Mon, 2005-11-07 at 17:09 +0100, Steven Van Acker wrote:
> Which extra weight are you referring to ? It seems to me that
> implementing a flex/bison parser for Pound would provide a more 
> powerful, more extendible and better understood configuration subsystem. 
> An added bonus is that flex/bison is a well-tested way of parsing 
> configuration files, and would thus reduce the possibility of bugs 
> in that subsystem of Pound.
> 
> Unless I'm mistaken, the configuration is only read in and parsed once, 
> so I have no idea where the extra weight would be ? Do you mean binary size ?

Binary size is secondary. I meant above all portability: do you write
for lex or flex, and which version? Is it yacc, byacc, bison? On SysV or
BSD? How is a terminal defined? I think you get the idea.

For the time being I think the config parsing is really quite simple,
and we haven't seen any issues with it. Speed is not an issue (it is
only done once, as you rightly remark), and the complexity is minimal.

The bigger picture: we seem to lack a standard for Unix config files (or
perhaps we have too many of them). Until such a standard emerges I think
we can live with the existing parser.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

This is to announce the release of Pound v2.0b2. This is an experimental
interim release.

Changes in this version:

- fixed the problem with defining HTTPS listeners.

- you can now define the HAport with an optional address, so that you
can run your health monitor on an arbitrary machine (rather than being
limited to the back-end server address).

The software is at version 2.0b2 (beta-ish quality). A lot of testing
(especially under heavy loads and complex configurations) is still
required - please send us your feedback. Bug reports are of particular
importance; let's try to make a 2.0 release as clean as possible!

Reports that the program works as expected are just as important. Please
let us know.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

This is to announce the release of Pound v2.0b3. This is an experimental
interim release.

Changes in this version:

- added a -V flag to print the program version

- fixed a couple of bugs, most notably the segfault related to
HeadRequire definition

The software is at version 2.0b3 (beta-ish quality). A lot of testing
(especially under heavy loads and complex configurations) is still
required - please send us your feedback. Bug reports are of particular
importance; let's try to make a 2.0 release as clean as possible!

Reports that the program works as expected are just as important. Please
let us know.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904

> This is to announce the release of Pound v2.0b3. This is an experimental
> interim release.

Updated source rpm is here:

http://www.invoca.ch/pub/packages/pound/beta/

Simon